1 NETWORK SECURITY POLICY Version: 0.2 Committee Approved by: Audit Committee Date Approved: 15 th January 2014 Author: Responsible Directorate Information Governance & Security Officer, The Health Informatics Service Governance Date Issued February 2014 Review Date February 2016
2 Version Control Sheet Document Title: Network Security Policy Version: 0.2 The table below logs the history of the steps in development of the document. See example below Version Date Author Status Comment 0.1 Feb th Jan 2014 Draft APPROVED Shared with Governance & Corporate Manager for initial comments Approved by Audit Committee
3 1 Introduction 2 Objective 3 Scope of this policy 4 Accountability 5 Definition of terms 6 Procedure 7 Training needs analysis 8 Equality impact assessment 9 Implementation and dissemination 10 Monitoring compliance with and the effectiveness of the policy 11 References 12 Associated documentation Appendix A Application for Remote Access
4 1 INTRODUCTION 1.1 This document defines the Network Security Policy for NHS North Kirklees Commissioning Group (referred to hereafter as the CCG). This policy is adhered to and supported by The Health Informatics Service (THIS) who are hosted by Calderdale and Huddersfield NHS Foundation Trust. 1.2 THIS provide IT support for the CCG via a contract with West & South Yorkshire & Bassetlaw Commissioning Support Unit (WSYBCSU). The requirements of this policy are consistent with the equivalent policies for neighbouring organisations that share common networks or receive services from THIS. The Network Security Policy applies to all business functions and information contained on the network, the physical environment and relevant people who support the network. 1.3 This document: a) Sets out the CCG's policy for the protection of the confidentiality, integrity and availability of the network; b) Establishes the security responsibilities for network security; c) Provides reference to documentation relevant to this policy. 2 AIMS & OBJECTIVES 2.1 The objective of this policy is to ensure the security of the CCG s network. To do this the CCG will: a) Ensure Availability Ensure that the system is available for users; b) Preserve Integrity Protect the network from unauthorised or accidental modification; c) Preserve Confidentiality Protect assets against unauthorised disclosure. 2.2 The purpose of this policy is to ensure the proper use of the CCG s network and make users aware of what the CCG deems as acceptable and unacceptable use of its network. 2.3 If there is evidence that any user is not adhering to the guidelines set out in this policy, this will be dealt with under the CCG s Disciplinary Procedure. 3 SCOPE OF THIS POLICY 3.1 The policy applies to all networks within the CCG used for:
5 a) The storage, sharing and transmission of non clinical data and images; b) The storage, sharing and transmission of clinical data and images; c) Printing or scanning non clinical or clinical data or images; d) The provision of internet systems for receiving, sending and storing non clinical or clinical data or images. 4. ACCOUNTABILITY 4.1 The Governing Body The Governing Body is responsible for ensuring that the necessary support and resources are available for the effective implementation of this Policy. 4.2 The Audit Committee The Audit Committee is responsible for the review and approval of this policy. 4.3 Chief Officer The Chief Officer has organisational responsibility for all aspects of Information Governance and is the Senior Information Risk Owner (SIRO) which includes responsibility for ensuring the CCG has appropriate systems and policies in place to ensure that the CCG has robust Network Security procedures in place 4.4 Heads of Service Heads of Service are responsible for ensuring that they and their staff are adequately trained, and are familiar with the content of this policy. 4.6 The Health Informatics Service (THIS) The Health Informatics Service s role, as determined through agreement with WSYBCSU, will: Implement an effective framework for the management of Network security in line with the CCG requirement Assist in the formulation of Information Network Policy and related policies and procedures Advise on the content and implementation of the relevant action plans Co-ordinate network security activities particularly those related to shared information systems or IT infrastructures Ensure that risks to IT systems are reduced to an acceptable level by applying security countermeasures identified following an assessment of the risk.
6 4.6.7 Ensure the systems, application and/or development of required policy standards and procedures in accordance with business needs, policy and guidance Ensure that access to the organisation's network is limited to those who have the necessary authority and clearance Advise on the accreditation of IT systems, applications and networks Support incident assessments, where necessary 4.8 Employees All personnel or agents acting for the organisation have a duty to: Safeguard hardware, software and information in their care Prevent the introduction of malicious software on the organisation's IT systems Users are responsible for ensuring their password is kept secret - passwords should not be shared Report on any suspected or actual breaches in security through the CCG s incident reporting mechanism s If you do not have any questions the CCG presumes that you understand and are aware of the rules and guidelines in the policy and will adhere to them. 5 NETWORK DEFINITION 5.1 The network is a collection of electronic devices such as servers, computers, printers and modems, which have been connected together by cables or wireless devices. The network is created to share data, software and peripherals, such as printers, modems, fax machines, internet connections, CD-ROM and tape drives, hard disks and other data storage equipment. 6 PROCEDURE 6.1 The overall Network Security Policy for the CCG is described below: The CCG information network will be available when needed and can be accessed only by legitimate users. The network must also be able to withstand or recover from threats to its availability, integrity and confidentiality. To satisfy this, the CCG will undertake the following:
7 a) Protect all hardware, software and information assets under its control. This will be achieved by implementing a set of well balanced technical and non technical measures; b) Provide both effective and cost effective protection that is commensurate with the risks to its network assets; c) Implement the Network Security Policy in a consistent, timely and cost effective manner; d) Where relevant, the CCG will comply with: - Copyright, Designs & Patents Act Access to Health Records Act Computer Misuse Act The Data Protection Act The Human Rights Act Electronic Communications Act Regulation of Investigatory Powers Act Freedom of Information Act Environmental Information Regulations Health & Social Care Act 2001 e) The CCG will comply with other laws and legislation as appropriate. 6.2 RISK ASSESSMENT THIS will carry out security risk assessment(s) in relation to all the business processes covered by this policy. These risk assessments will cover all aspects of the network that are used to support those business processes. The risk assessment will identify the appropriate security countermeasures necessary to protect against possible breaches in confidentiality, integrity and availability Risk assessment will be conducted to determine the IT Security (ITSEC) Assurance levels required for security barriers that protect the network Formal risk assessments will be conducted using CRAMM and will conform to ISO PHYSICAL AND ENVIRONMENTAL SECURITY Network computer equipment will be housed in a controlled and secure environment. Critical or sensitive network equipment will be housed in an environment that has a monitored temperature and power supply.
8 6.3.2 Critical or sensitive network equipment will be housed in secure areas, protected by a secure perimeter, with appropriate security barriers and entry controls Door lock codes will be changed periodically, following a compromise (or suspected compromise) of the code; Critical or sensitive network equipment will be protected from power supply failures Critical or sensitive network equipment will be protected by intruder alarms and fire suppression systems Smoking, eating and drinking is forbidden in areas housing critical or sensitive network equipment All visitors to secure network areas must be authorised by the Head of Professional Services, Portfolio Manager Networks or Portfolio Manager Back Office All visitors to secure network areas must be made aware of network security requirements All visitors to secure network areas must be logged in and out. The log will contain name, organisation, purpose of visit, date, and time in and out THIS Field Support Manager will ensure that all relevant staff are made aware of procedures for visitors Entry to secure areas housing critical or sensitive network equipment will be restricted to those whose job requires it. THIS Field Support Manager will maintain and periodically review a list of those with unsupervised access. 6.4 ACCESS CONTROL TO THE NETWORK Access to the network will be via a secure log-on procedure, designed to minimise the opportunity for unauthorised access. Remote access will be via secure two-part authentication There must be a formal, documented User registration and de-registration procedure for access to the network The departmental manager and the THIS Field Support Manager (or nominated officer) must approve User access Access rights to the network will be allocated on the requirements of the User s job, rather than on a status basis.
9 6.4.5 Security privileges (ie 'Super user' or network administrator rights) to the network will be allocated on the requirements of the user s job, rather than on a status basis Users will be sent a Code of Connection agreement, which they must familiarise themselves with Access will not be granted until the THIS Field Support Manager (or nominated officer) registers a user All users to the network will have their own individual User identification and password Users are responsible for ensuring their password is kept secret (see User Responsibilities) User access rights will be immediately removed or reviewed for those users who have left the CCG or changed jobs, in line with the human resources procedures 6.5 THIRD PARTY ACCESS CONTROL TO THE NETWORK Third party access to the network will be based on a formal contract that satisfies all necessary NHS security conditions and, if applicable, the Statement of Compliance The Network Operations Centre Manager is responsible for ensuring all third party access to the network is logged 6.6 REMOTE ACCESS Remote Access refers to any technology that enables the CCG to connect users from geographically dispersed locations The Health Informatics Service s Network Operations Centre Manager is responsible for ensuring that a formal risk assessment is conducted to assess risks and identify controls needed to reduce risks to an acceptable level The Health Informatics Service s Service Delivery Centre Manager is responsible for providing clear authorisation mechanisms for all remote access users Departmental Managers are responsible for the authorisation of all applications for remote access and for ensuring that appropriate awareness of risks are understood by proposed Users All remote access users are responsible for complying with this policy and associated standards. They must safeguard corporate equipment and information resources and notify the CCG immediately of any security incidents and/or breaches.
10 The Health Informatics Service s Head of Enterprise Services is responsible for ensuring that the Remote Access infrastructure is periodically reviewed, which could include but is not limited to independent third party penetration testing Any person wishing to apply for remote access, must complete the form at Annex A. 6.8 EXTERNAL NETWORK CONNECTIONS Ensure that all connections to external networks and systems have been documented and approved Ensure that all connections to external networks and systems conform to the NHS-wide Network Security Policy, the Statement of Compliance and supporting guidance The Network Operations Centre Manager is responsible for ensuring all connections to external networks and systems are approved before they commence operation. 6.9 MAINTENANCE CONTRACTS The Head of Enterprise Service will ensure that maintenance contracts are maintained and periodically reviewed for all network equipment. All contract details will constitute part of the Information Technology Asset register DATA AND SOFTWARE EXCHANGE Formal agreements for the exchange of data and software between organisations must be approved by the Caldicott Guardian or delegated authority FAULT LOGGING The Service Delivery Centre is responsible for ensuring that a log of all faults on the network is maintained and reviewed NETWORK OPERATING PROCEDURES Clear, documented operating procedures should be prepared for the operation of the network, to ensure its correct, secure operation Changes to operating procedures must be authorised by the Portfolio Manager Networks, and where there is a COIN (Community Of Interest Network)-wide implication this must be done through liaison with Calderdale and Huddersfield NHS Foundation Trust.
11 THIS will implement Security Operating Procedures (SyOps) and security contingency plans that reflect the Network Security Policy DATA BACKUP AND RESTORATION The Field Support Manager is responsible for ensuring that backup copies of switch configuration and data stored on the network are taken regularly A log should be maintained of switch configuration and data backups detailing the date of backup and whether the backup was successful Documented procedures for the backup process will be produced and communicated to all relevant staff Documented procedures for the storage of backup tapes will be produced and communicated to all relevant staff All backup tapes will be stored securely and a copy will be stored off-site Documented procedures for the safe and secure disposal of backup media will be produced and communicated to all relevant staff Users are responsible for ensuring that they store their own data to the network server Patches and any fixes will only be applied by Technologies Service Staff, following suitable change control procedure MALICIOUS SOFTWARE The Field Support Manager must ensure that measures are in place to detect and protect the network from viruses and other malicious software UNAUTHORISED SOFTWARE Use of any non-standard software 1 on CCG equipment must be approved by the Health Informatics Service Desk before installation. All software used on CCG equipment must have a valid licence agreement - it is the responsibility of the Information Asset Owner or Responsible User of non-standard software to ensure that this is the case 6.16 SECURE DISPOSAL OR RE-USE OF EQUIPMENT Ensure that where equipment is being disposed of all data on the equipment (e.g. on hard disks or tapes) is securely overwritten. For advice on assessment of re-use or destruction of equipment contact The Health Informatics Service Desk SYSTEM CHANGE CONTROL 1 Contact the Health Informatics Service Desk for advice on Trust standard software
12 The Service Delivery Centre is responsible for ensuring that appropriate change management processes are in place to review changes to the network; which would include acceptance testing and authorization. The Network Operations Centre Manager is responsible for ensuring all relevant Network documentation is up to date The Project Board and/or the Information Asset Owners are responsible for ensuring that selected hardware and software meets agreed security standards. Testing facilities will be used for all new network systems. Development and operational facilities will be separated SECURITY MONITORING The Network Operations Centre Manager is responsible for ensuring that the network is monitored for potential security breaches. All monitoring will comply with current legislation 6.19 REPORTING DATA SECURITY BREACHES & WEAKNESSES Data Security Breaches and weaknesses, such as the loss of data or the theft of a laptop, must be reported in accordance with the requirements of the CCG incident reporting procedure SYSTEM CONFIGURATION MANAGEMENT The Network Operations Centre Manager will ensure that there is an effective configuration management process for the network DISASTER RECOVERY PLANS The Health Informatics Service will ensure that disaster recovery plans are produced for the network and that these are tested on a regular basis UNATTENDED EQUIPMENT AND CLEAR SCREEN Users must ensure that they protect the network from unauthorised access. They must log off the network when finished working The CCG operates a clear screen policy that means that users must ensure that any equipment logged on to the network must be protected if they leave it unattended, even for a short time. Workstations must be locked or a screensaver password activated if a workstation is left unattended for a short time Users of terminals, which do not have the facility to lock, must log out when not using the terminal..
13 7 TRAINING NEEDS ANALYSIS 7.1 The CCG will provide basic Information Governance training through induction and/or mandatory training. All training throughout the CCG is recorded by WSYBCSU Workforce and Development Team. 8. Equality impact assessment 8.1. CCG aims to design and implement services, policies and measures that meet the diverse needs of our service, population and workforce, ensuring that none are placed at a disadvantage over others. 9. Implementation and dissemination 9.1. Following ratification by the Audit Committee this policy will be disseminated to staff via the CCG s intranet and in house communication mechanisms This Policy will be reviewed every two years or in line with changes to relevant legislation or national guidance. 10. Monitoring compliance with and the effectiveness of the policy An assessment of compliance with requirements, within the Information Governance Toolkit (IGT), will be undertaken each year. Annual reports and proposed work programme will be presented to the Audit Committee for approval. 11. References Freedom of Information Act 2000 Data Protection Act 1998 Human Rights Act 1998 Common Law Duty of Confidence 12 ASSOCIATED DOCUMENTS (Policies, protocols and procedures) Information Security Policy Information Governance Policy and Framework Internet Policy Disciplinary Procedure Confidentiality and Data Protection Policy
14 Annex A APPLICATION FOR REMOTE ACCESS JOB NO To be completed by Health Informatics To ensure that your application is actioned correctly, it is important that all details are completed fully and accurately. If you have any queries please contact The Health Informatics Service Desk , 1. TYPE OF ACCESS REQUIRED Please see point 10 for description, system requirements and costs. Please indicate by a Standard (Webmail Access from any Computer) Advanced (Installed only on a CCG Laptop with Broadband Access from Home)* * The prerequisites for this service are a CCG laptop, broadband router and a home broadband connection.
15 2. APPLICANT DETAILS First Name(s) Last Name Work Tel Number inc STD Job Title Department 3. EMPLOYER DETAILS Who employs you? Please indicate by a Calderdale & Huddersfield NHS Foundation Trust Calderdale CCG Greater Huddersfield CCG North Kirklees CCG Wakefield CCG Social Services Other please state who employs you 4. LOCATION DETAILS Please give full postal address of your place of work
16 5. DECLARATION I have read and understand the terms and conditions of the Policy attached and agree to abide by it. Signed Date 6. AUTHORISED BY (applicant s Line Manager) First Name(s) Last Name Work Tel Number inc STD Job Title Signed Date 7. BUDGET HOLDERS DETAILS AND AUTHORITY I authorise recharging of the costs detailed in section 10 to the following budget code Budget Code First Name(s) Last Name Work Tel Number inc STD Signed Date
17 8. ON COMPLETION OF FORM Please check that this form has been completed fully and accurately. Incomplete/incorrect forms will be returned to you and will result in a delay in providing services. Please return the completed form to The Health Informatics Service Desk, Oak House Woodvale Office park Woodvale Road Brighouse HD6 4AB 5 9. WHAT HAPPENS NEXT The processing of this form will create a request to the Health informatics Service and a job no will be allocated For Standard service (Webmail only Access) you will be notified that the service is activated For Advanced service (Broadband Access) You will be contacted by Service Delivery Staff to make an appointment to configure your Laptop and provide you with training on the use of the Broadband Remote Access software. 10. SYSTEM REQUIREMENTS AND COSTS TYPE REQUIREMENTS COSTS Standard Computer at Home with Internet Access Internet Explorer Advanced Broadband Access at Home CCG supported laptop with Windows 2000/XP, CD ROM drive, Networked FOC Installation, client software and USB token FOC RAS Access 280 per annum Call charges for this service: FOC
19 You should ensure that you have read and understood the Internet Use Policy and the Policy (please speak to your manager to obtain a copy) You must only access internet/ services via an individual login provided specifically for you. You must never share or divulge your individual login and/or password to others for access to the organisation s systems. Do not write passwords down. You may use the internet and services to access research material and other information relevant to your work, provided that it does not interfere with the performance of the network or systems. You may access internet sites and webmail accounts for personal use in accordance with the Internet and Use Policies. Please note - individual staff members and their line managers are responsible for ensuring that personal use does not interfere with the performance of work duties. Any personal use that has a negative impact on the performance of the network or systems may result in access to those sites/services being withdrawn. Illicit or illegal material must not be viewed/downloaded or obtained via or the Internet* You must not download unauthorised content/programmes onto the organisation s supported PCs/Laptops or electronic file storage areas** All authorised downloaded material must be virus checked at the time of downloading Be aware that use of internet/ is monitored and that activity logs are kept that show the content of accessed material and any impact on the capacity and performance of the network or systems. You may be required to make IT equipment/systems (that you use) available at any time for audit by the organisation Lock your workstation if you are leaving it [CTRL+ALT+DEL] or shut down or log off. Do not allow anyone else access whilst you are logged in to the computer. Avoid keeping confidential information on the hard drive. Ensure that work is saved to the network where possible, preferably within your departmental shared drive (if you need further advice about this ring The Service Desk on ) Do not divulge confidential information held on the computer to someone who has no right or permission to that information. Do not attempt to access any part of the system for which you do not have authorisation, or use information from the system inappropriately e.g. to find a colleague s birthday or address. Whilst accessing network,internet and services away from the organisations premises Please ensure caution when printing of any work related material; never leave printouts on printers unattended
20 is an insecure system. If you have a requirement to transfer sensitive electronic personal information (i.e. that relating to identifiable individuals) please refer to the policy or The Service Desk on for advice. Internet services are subject to unforeseen failure from time to time and cannot be guaranteed. The Health Informatics Service will maintain the network up to connection to the NHS Wide Network. BT maintains the network service up to the connection to the Internet. Any faults with individual external sites or services cannot be supported. * Advice:Please refer to the Internet user Policy for what constitutes illicit or illegal material or contact The Service Desk on ** For advice on authorised and unauthorised computer content/programmes please contact The Service Desk (Health Informatics) at on